Tor Browser

Tor Browser is the canonical anti-fingerprinting privacy browser — a hardened Firefox fork that routes every connection through the Tor network's multi-relay onion routing, ships with a uniform fingerprint across all users, and is the de-facto reference implementation that every other privacy browser (Mullvad Browser, LibreWolf, Brave's Tor mode) measures itself against. Listed at Grade A · editor's pick because Tor Browser is the foundational tool in the privacy stack: if you only have time to deploy one privacy tool, this is it. Mandatory companion to any serious privacy-tooling effort — operating Monero from a clearnet browser leaks more metadata than Monero itself protects.

Background. Tor Browser is developed and maintained by The Tor Project — a US-registered 501(c)(3) non-profit organisation, with the core development team distributed globally. Built on Mozilla Firefox ESR (extended support release) with extensive anti-fingerprinting patches, bundled with the Tor SOCKS proxy and the NoScript browser extension for JavaScript gating. The Tor network itself (the relay layer Tor Browser routes through) is operated by ~6,000-9,000 volunteer relay operators globally — guard relays, middle relays, and exit relays form three-hop circuits per connection. Funding: a mix of US government grants (BBG / State Department for the open-internet mission), private foundations (Mozilla, Wikimedia, etc.), and direct donations; the funding structure is public at torproject.org/about/financials/. The funding mix is the perennial talking point — see Caveats. Releases: aligned with Firefox ESR (every ~6 weeks for point releases, major versions every ~12 months); built reproducibly with signed releases at torproject.org/download.

What you trust. Multi-relay onion routing — your traffic enters the Tor network at a guard relay, hops through a middle relay, exits via an exit relay; no single relay knows both your IP and your destination. Uniform fingerprint — Tor Browser ships with a deliberately standardised User-Agent, screen size (always 1000×1000 by default), font set, canvas response, WebGL response, and JS environment, so all Tor Browser users look identical to a fingerprinting tracker. NoScript by default — JavaScript is gateable per-site via the NoScript extension; the Security Level slider (Standard / Safer / Safest) controls how aggressive the default gating is. No telemetry — Tor Browser strips Firefox's telemetry pipeline, Mozilla account integration, and other phone-home behaviours. Reproducible builds + signed releases — anyone can verify that downloaded binaries match the published source. Bridge support — for users in censored networks, Tor Browser supports bridges (unlisted entry points), pluggable transports (obfs4, meek, snowflake, webtunnel), and request-a-bridge-via-email/Telegram.

Operational specs. Platforms: macOS, Windows, Linux desktop; Android (official build at torproject.org/download/#android); iOS: no official Tor Browser due to Apple's WebKit-only policy — use Onion Browser (third-party but Tor Project-recommended) instead. Default behaviours: connects to Tor network automatically; opens with about:tor as default homepage; clears history/cookies on browser close. Security Level slider: Standard (JavaScript enabled, all features, lowest privacy floor — for everyday browsing of trusted sites); Safer (JavaScript disabled on non-HTTPS sites, some font/media restrictions); Safest (JavaScript fully disabled, most aggressive — required for the strictest privacy posture; many web apps will break). Tabs are isolated — each first-party origin gets a separate Tor circuit, so connections to site A and site B don't share the same exit relay. New Identity function — wipes all browser state and forces new Tor circuits with a single hotkey (Ctrl+Shift+U). Onion sites — first-class support for .onion v3 addresses; the address bar shows the .onion address with a green-key indicator when an HTTPS Onion site is verified.

Philosophy. Tor Browser's editorial differentiator is the anti-fingerprinting reference implementation — it doesn't just route through Tor (any browser can do that with a SOCKS config); it does the much harder work of making all Tor Browser users look fingerprintably identical, so that even if a tracker correlates "this user keeps coming back," they can't tell which Tor Browser user is which. The trade-off: the standardised fingerprint means you lose per-user customisation (no themes, no add-ons beyond the bundled ones, fixed font set) and the standardised window size means the browser opens at 1000×1000 by default. For users who want a hardened-Firefox-without-Tor (faster, no Tor latency, but loses the network-layer anonymity), Mullvad Browser is the same anti-fingerprinting work without the Tor routing; it's a separate listing at xmr.club. Tor Browser is the canonical Tor-network-plus-anti-fingerprinting bundle.

Grade rationale. Grade A and editor's pick reflect: developed and maintained by the Tor Project (a registered US non-profit with the canonical mission); built on Firefox ESR with extensive anti-fingerprinting patches; uniform-fingerprint design (the canonical reference for what anti-fingerprinting means); reproducible builds + signed releases; no telemetry; bundled NoScript and Security Level slider for adjustable privacy posture; bridge + pluggable transport support for censored networks; first-class .onion v3 support; cross-platform (macOS, Windows, Linux, Android; iOS via Onion Browser); public funding disclosure at torproject.org/about/financials/; over two decades of operational continuity (since 2002); the de-facto reference for any other privacy browser. Last verified 2026-05-13.

Useful when. You're doing anything privacy-sensitive online — researching, communicating, transacting; if it's privacy-adjacent, Tor Browser should be in the stack. You're accessing .onion services — Tor Browser is the only consumer browser with first-class .onion v3 support. You're in a censored network — Tor Browser's bridge + pluggable transport infrastructure is the most mature censorship-circumvention tooling available. You're transacting Monero or any other privacy currency — pairing a privacy coin with a clearnet browser leaks the IP context the privacy coin was supposed to protect. You're a journalist, researcher, or activist in a hostile-networks environment. You're a whistleblower using SecureDrop or another onion-routed submission system. You want a reference implementation to compare other privacy browsers against.

Caveats. Latency — Tor's three-hop architecture adds 200ms-2s of latency per connection; this is the cost of the privacy and is not a fixable issue, it's a property of the threat model. Some sites block Tor exit IPs — Cloudflare's default settings (and many bank/financial sites) treat Tor exit IPs as untrusted and serve CAPTCHAs or outright block. This is a real friction; nothing Tor Browser can fix from the client side. JavaScript Safest mode breaks many sites — modern web apps assume JavaScript; the strictest privacy level often means falling back to bookmarks and pre-saved content. Default 1000×1000 window — designed for fingerprint uniformity, but visually small on large monitors; resizing the window reduces your anonymity set within the Tor Browser cohort (a tracker can fingerprint "this user resized to 1920×1080"). For maximum anonymity, leave default window size. Funding-mix concerns — US government grants (BBG, State Department) are a significant funding source for the Tor Project; this is publicly disclosed at torproject.org/about/financials/ but is a perennial talking point among privacy critics. The argument-for-trust: code is open-source, builds are reproducible, the relay network is decentralised, and the Tor Project's mission alignment is open-internet not surveillance. The argument-for-skepticism: any organisation with US-government funding is plausibly within the influence of US government priorities. Reach your own conclusion based on the threat model and the published financial disclosures. iOS limitations — Apple's WebKit-only policy means no official Tor Browser; Onion Browser is the recommended third-party for iOS but it's a separate trust evaluation. Mobile UX — Tor Browser on Android is functional but less polished than the desktop versions; expect more friction. Browser extensions are restricted — only the bundled NoScript is included; installing other extensions adds fingerprinting surface and is not recommended. Don't log into clearnet accounts — logging into Gmail or Twitter through Tor Browser links your Tor browsing session to your clearnet identity; if anonymity matters, use throwaway accounts created over Tor or skip the login entirely.